[PATCH 7/8] apparmor: allow virt-aa-helper to read openvswitch sockets

Christian Ehrhardt posted 8 patches 5 years, 6 months ago
Posted by Christian Ehrhardt 5 years, 6 months ago
From: Serge Hallyn <serge.hallyn@ubuntu.com>

Chardevs/sockets configured for openvswitch-dpdk use cases
might be probed by virt-aa-helper. Allow that access to enable
virt-aa-helper rendering per-guest rules for the actual qemu
guest accessing these sockets eventually.

Signed-off-by: Christian Ehrhardt <christian.ehrhardt@canonical.com>
Signed-off-by: Stefan Bader <stefan.bader@canonical.com>
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
---
 src/security/apparmor/usr.lib.libvirt.virt-aa-helper.in | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/src/security/apparmor/usr.lib.libvirt.virt-aa-helper.in b/src/security/apparmor/usr.lib.libvirt.virt-aa-helper.in
index 3f204799a6..877cb04b1e 100644
--- a/src/security/apparmor/usr.lib.libvirt.virt-aa-helper.in
+++ b/src/security/apparmor/usr.lib.libvirt.virt-aa-helper.in
@@ -46,6 +46,9 @@ profile virt-aa-helper @libexecdir@/virt-aa-helper {
   @sysconfdir@/apparmor.d/libvirt/* r,
   @sysconfdir@/apparmor.d/libvirt/libvirt-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]* rw,
 
+  # for openvswitch sockets
+  /{,var/}run/openvswitch/** rw,
+
   # for backingstore -- allow access to non-hidden files in @{HOME} as well
   # as storage pools
   audit deny @{HOME}/.* mrwkl,
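Review bot: the subject line says virt-aa-helper needs to read these sockets, but the rule added here, `/{,var/}run/openvswitch/** rw,`, grants read and write on everything under the openvswitch runtime directory, recursively (`**` crosses directory boundaries; `*` would stay within one component), and the commit message only says the sockets "might be probed". Either narrow the rule to the socket names virt-aa-helper actually opens and drop `w` if it only reads them, or state in the commit message and in the `# for openvswitch sockets` comment which operation needs write (under AppArmor file rules, connecting to a path-based Unix socket is mediated as a write on that path, so `w` would be justified for a connect but not for the read the subject describes). As written, neither the comment nor the message gives the next reader anything to check the rule against.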
-- 
2.27.0

Re: [PATCH 7/8] apparmor: allow virt-aa-helper to read openvswitch sockets
Posted by Jamie Strandboge 5 years, 6 months ago
On Mon, 03 Aug 2020, Christian Ehrhardt wrote:

> From: Serge Hallyn <serge.hallyn@ubuntu.com>
> 
> Chardevs/sockets configured for openvswitch-dpdk use cases
> might be probed by virt-aa-helper. Allow that access to enable
> virt-aa-helper rendering per-guest rules for the actual qemu
> guest accessing these sockets eventually.
> 
> Signed-off-by: Christian Ehrhardt <christian.ehrhardt@canonical.com>
> Signed-off-by: Stefan Bader <stefan.bader@canonical.com>
> Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
> ---
>  src/security/apparmor/usr.lib.libvirt.virt-aa-helper.in | 3 +++
>  1 file changed, 3 insertions(+)
> 
> diff --git a/src/security/apparmor/usr.lib.libvirt.virt-aa-helper.in b/src/security/apparmor/usr.lib.libvirt.virt-aa-helper.in
> index 3f204799a6..877cb04b1e 100644
> --- a/src/security/apparmor/usr.lib.libvirt.virt-aa-helper.in
> +++ b/src/security/apparmor/usr.lib.libvirt.virt-aa-helper.in
> @@ -46,6 +46,9 @@ profile virt-aa-helper @libexecdir@/virt-aa-helper {
>    @sysconfdir@/apparmor.d/libvirt/* r,
>    @sysconfdir@/apparmor.d/libvirt/libvirt-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]* rw,
>  
> +  # for openvswitch sockets
> +  /{,var/}run/openvswitch/** rw,

A bit unfortunate and unexpected. What kind of probing does
virt-aa-helper do on these?

-- 
Jamie Strandboge             | http://www.canonical.com

Re: [PATCH 7/8] apparmor: allow virt-aa-helper to read openvswitch sockets
Posted by Christian Ehrhardt 5 years, 6 months ago
On Mon, Aug 3, 2020 at 5:13 PM Jamie Strandboge <jamie@canonical.com> wrote:

> On Mon, 03 Aug 2020, Christian Ehrhardt wrote:
>
> > From: Serge Hallyn <serge.hallyn@ubuntu.com>
> >
> > Chardevs/sockets configured for openvswitch-dpdk use cases
> > might be probed by virt-aa-helper. Allow that access to enable
> > virt-aa-helper rendering per-guest rules for the actual qemu
> > guest accessing these sockets eventually.
> >
> > Signed-off-by: Christian Ehrhardt <christian.ehrhardt@canonical.com>
> > Signed-off-by: Stefan Bader <stefan.bader@canonical.com>
> > Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
> > ---
> >  src/security/apparmor/usr.lib.libvirt.virt-aa-helper.in | 3 +++
> >  1 file changed, 3 insertions(+)
> >
> > diff --git a/src/security/apparmor/usr.lib.libvirt.virt-aa-helper.in
> b/src/security/apparmor/usr.lib.libvirt.virt-aa-helper.in
> > index 3f204799a6..877cb04b1e 100644
> > --- a/src/security/apparmor/usr.lib.libvirt.virt-aa-helper.in
> > +++ b/src/security/apparmor/usr.lib.libvirt.virt-aa-helper.in
> > @@ -46,6 +46,9 @@ profile virt-aa-helper @libexecdir@/virt-aa-helper {
> >    @sysconfdir@/apparmor.d/libvirt/* r,
> >    @sysconfdir@/apparmor.d/libvirt/libvirt-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*
> rw,
> >
> > +  # for openvswitch sockets
> > +  /{,var/}run/openvswitch/** rw,
>
> A bit unfortunate and unexpected. What kind of probing does
> virt-aa-helper do on these?
>

I'm so glad we do this exercise and you have the "investigative hat on" to
challenge the few bits of the series that seem odd.
I have read through virt-aa-helper again with a focus on this and at least
today's openvswitch-dpdk+libvirt should not need this anymore.

It seems this was a wild guess many years ago and added for bug 1513367 but
eventually (or just nowadays) is no longer needed.

I have set up a 20.04 based openvswitch-dpdk system and dropped the rule.
Once with vhostuserclient and once on an older system with the older
vhostuser type connection.

Things are still working, so I'm removing this rule from this series as
well as from the Ubuntu builds.


> --
> Jamie Strandboge             | http://www.canonical.com
>


-- 
Christian Ehrhardt
Staff Engineer, Ubuntu Server
Canonical Ltd
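The regression test described in the reply above (drop the rule, run the openvswitch-dpdk workload, see whether anything breaks) is only conclusive if one also checks the AppArmor audit trail, since a denial in a rarely taken code path will not always show up as visible breakage. The following is an added example for this thread, not code from libvirt or from any of the posters: it parses kernel AppArmor audit records, keeps the DENIED entries for a given profile, and flags those that the dropped rule would have permitted, by translating the rule's path glob into a regex and comparing the denied mask with the rule's permissions. The audit lines are constructed, the guest profile name is a placeholder, and the glob translation covers only the path syntax used in this profile (`*`, `**`, `?`, `{a,b}`, `[..]`), not `@{HOME}`-style variables.

```python
"""Flag AppArmor denials that a dropped profile rule would have covered.

Added example for this thread, not code from libvirt or from the posters.
The audit records below are constructed; the glob conversion implements the
subset of AppArmor path syntax used in the virt-aa-helper profile.
"""
import re
from dataclasses import dataclass

# Constructed sample of kernel AppArmor audit records (not captured from a real host).
SAMPLE_LOG = """\
type=AVC msg=audit(1596466200.001:101): apparmor="DENIED" operation="open" profile="virt-aa-helper" name="/run/openvswitch/vhost-user1" pid=1234 comm="virt-aa-helper" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
type=AVC msg=audit(1596466200.002:102): apparmor="DENIED" operation="connect" profile="libvirt-00000000-0000-0000-0000-000000000001" name="/var/run/openvswitch/vhost-user1" pid=2345 comm="qemu-system-x86" requested_mask="wr" denied_mask="wr" fsuid=64055 ouid=0
type=AVC msg=audit(1596466200.003:103): apparmor="STATUS" operation="profile_replace" profile="unconfined" name="virt-aa-helper" pid=99 comm="apparmor_parser"
type=AVC msg=audit(1596466200.004:104): apparmor="DENIED" operation="open" profile="virt-aa-helper" name="/home/ubuntu/.config/disk.img" pid=1234 comm="virt-aa-helper" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
"""

# key=value or key="quoted value" pairs as emitted by the kernel audit subsystem
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_audit_line(line: str) -> dict:
    """Split one audit record into a dict, stripping the quotes around values."""
    fields = {}
    for key, val in KV_RE.findall(line):
        if len(val) >= 2 and val[0] == '"' and val[-1] == '"':
            val = val[1:-1]
        fields[key] = val
    return fields


def apparmor_glob_to_regex(pattern: str) -> "re.Pattern":
    """Translate an AppArmor file-rule path glob into an anchored regex.

    * matches within one path component, ** crosses directory boundaries,
    ? is one non-slash character, {a,b} is alternation (an empty alternative
    is allowed, as in /{,var/}run), [..] is a character class.
    """
    out, i, depth = [], 0, 0
    while i < len(pattern):
        c = pattern[i]
        if c == "*":
            if pattern[i + 1:i + 2] == "*":
                out.append(".*")        # ** : any chars, slashes included
                i += 1
            else:
                out.append("[^/]*")     # *  : stays inside one component
        elif c == "?":
            out.append("[^/]")
        elif c == "{":
            depth += 1
            out.append("(?:")
        elif c == "}" and depth:
            depth -= 1
            out.append(")")
        elif c == "," and depth:
            out.append("|")
        elif c == "[":
            end = pattern.find("]", i + 1)
            if end == -1:
                out.append(re.escape(c))
            else:
                out.append("[" + pattern[i + 1:end] + "]")  # ^ negation is the same in Python
                i = end
        else:
            out.append(re.escape(c))
        i += 1
    return re.compile("^" + "".join(out) + "$")


@dataclass
class Denial:
    profile: str
    operation: str
    path: str
    denied_mask: str
    covered_by_rule: bool  # True if the rule under test would have allowed this access


def find_denials(log_text: str, profile: str, rule_path: str, rule_perms: str) -> list:
    """Return the DENIED records for `profile`, flagging those the rule would have permitted.

    A denial is covered when the path matches the rule glob and every letter of
    denied_mask is present in the rule's permission string (e.g. "rw").
    """
    path_rx = apparmor_glob_to_regex(rule_path)
    perms = set(rule_perms)
    denials = []
    for line in log_text.splitlines():
        rec = parse_audit_line(line)
        if rec.get("apparmor") != "DENIED" or rec.get("profile") != profile:
            continue
        path = rec.get("name", "")
        mask = rec.get("denied_mask", "")
        covered = bool(path_rx.match(path)) and set(mask) <= perms
        denials.append(Denial(profile, rec.get("operation", ""), path, mask, covered))
    return denials


if __name__ == "__main__":
    # Hypothetical check after removing the rule from the virt-aa-helper profile:
    # a denial flagged as covered means the rule was still needed after all.
    rule = "/{,var/}run/openvswitch/**"
    for d in find_denials(SAMPLE_LOG, "virt-aa-helper", rule, "rw"):
        flag = "NEEDED RULE" if d.covered_by_rule else "unrelated"
        print(f"{flag:12} {d.operation:8} {d.denied_mask:3} {d.path}")
```

In use, replace `SAMPLE_LOG` with the real records (`journalctl -k`, or `/var/log/audit/audit.log` when auditd is running) collected while exercising both the vhostuser and vhostuserclient configurations with the rule removed. An empty list of covered denials for `virt-aa-helper` is the evidence that the rule can go; a covered `connect` denial against the guest's `libvirt-<uuid>` profile would instead point at the per-guest rules that virt-aa-helper generates, which is a different profile from the one this patch touches.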